The SolarWinds supply chain attack, whose backdoor was named SUNBURST by FireEye and whose campaign Microsoft tracks as Solorigate, affected a large number of organisations, including FireEye and Microsoft themselves. An APT group compromised the build process of the SolarWinds Orion product line so that a backdoor was inserted into signed Orion updates delivered to customers.
As our contribution in responding to this attack, we used Elemendar’s AI analyst to process three cyber threat intelligence (CTI) reports from three security vendors: ReversingLabs, Trend Micro and McAfee.
This report focuses on indicators of compromise (IOCs), because IOCs need to be processed rapidly so that a company can detect and contain a potential breach of its network. The results output by Elemendar are listed at the end of this report.
One observation is that no single CTI report contains a complete list of IOCs: some list malicious C2 domains, others list malicious file hashes. For a human security analyst to assemble a full list, several reports must therefore be processed manually, in detail and without mistakes. We limited this exercise to three reports to avoid a large data dump; ideally a much larger number would be processed so that as many IOCs as possible are collected.
For a human analyst this takes time, whereas Elemendar’s AI can analyse multiple reports simultaneously and tag all relevant information in a fraction of the time a human would need for the same reports. Human analysts are also prone to mistakes: it is all too easy to label a file hash as a filename or to mistype a value, especially when time is of the essence.
The analysis of the CTI reports listed below was conducted using only the output of the Elemendar trial. It took less than 30 seconds to receive all of the output reports by email.
The advantage of ingesting a large number of CTI reports quickly is that their contents can be cross-referenced against each other to check the data in each one. Even with the very small sample in this report, four of the five SHA1 hashes in the Trend Micro report also appear in the ReversingLabs report, and all eight malicious domains in the Trend Micro report also appear in the McAfee report. Agreement between vendors corroborates an indicator, but an indicator that appears in only one report (the fifth Trend Micro hash, or the three extra McAfee domains) is not wrong for that reason; it simply has less corroboration.
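The two points above, type-checking each extracted value so a hash is not filed as a filename, and cross-referencing the per-report lists to find what they agree on and what only one of them reports, are straightforward to automate once the IOCs are in machine-readable form. The following is an added example written for this page; it is not Elemendar's code and does not reproduce its output format. The IOC values are copied from the three report listings below (the two Windows system DLLs are left out, since they are legitimate libraries rather than indicators); the report names, the regular expressions and the 39-character typo used to demonstrate validation are the example's own assumptions.

```python
"""Normalise, type-check and cross-reference IOCs from several CTI reports.

Added example for this page, not Elemendar's code. The IOC values are copied
from the three report listings on the page; report names are labels only.
"""
import re
from collections import defaultdict

REPORTS = {  # constructed from the listings on this page
    "ReversingLabs": [
        "solarwinds.orionimprovement.client.dll",
        "solarwinds.orion.core.businesslayer.dll",
        "22719783b2469ad312a40c1b200dd24d6a03618d", "76640508b1e7759e548771a5359eaed353bf1eec",
        "2f1a5a7411d015d01aaee4535835400191645023", "5e643654179e8b4cfe1d3c1906a90a4c8d611cea",
        "1b476f58ca366b54f34d714ffce3fd73cc30db1a", "d130bd75645c2433f88ac03e73395fba172ef676",
    ],
    "TrendMicro": [
        "avsvmcloud.com", "databasegalore.com", "panhardware.com", "incomeupdate.com",
        "highdatabase.com", "deftsecurity.com", "zupertech.com", "thedoccloud.com",
        "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
        "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
        "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
        "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
        "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
        "d130bd75645c2433f88ac03e73395fba172ef676", "2f1a5a7411d015d01aaee4535835400191645023",
        "1b476f58ca366b54f34d714ffce3fd73cc30db1a", "76640508b1e7759e548771a5359eaed353bf1eec",
        "75af292f34789a1c782ea36c7127bf6106f595e8",
    ],
    "McAfee": [
        "incomeupdate.com", "panhardware.com", "highdatabase.com", "avsvmcloud.com",
        "thedoccloud.com", "databasegalore.com", "zupertech.com", "deftsecurity.com",
        "digitalcollege.org", "websitetheme.com", "virtualdataserver.com",
        "solarwinds.orion.core.businesslayer.dll",
    ],
}

# Type checks, tried in order: hashes first so that length decides the type,
# filenames before domains because "x.dll" also parses as a hostname.
_TYPES = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$")),
    ("sha1", re.compile(r"^[0-9a-f]{40}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$")),
    ("filename", re.compile(r"^[\w.\-]+\.(?:dll|exe|sys|ps1|vbs|js)$")),
    ("domain", re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")),
]

def normalise(value):
    """Lower-case, trim, and undo the usual defanging (hxxp://, [.])."""
    v = value.strip().lower().replace("[.]", ".")
    return re.sub(r"^hxxps?://", "", v)

def classify(value):
    """Return the IOC type of a single value, or 'unknown' if it fits none."""
    v = normalise(value)
    for name, pattern in _TYPES:
        if pattern.match(v):
            return name
    return "unknown"

def validate(tagged):
    """(label, value, detected) for each analyst label that disagrees with the
    value's shape, e.g. a SHA-256 filed as SHA-1 or a hash missing a character."""
    return [(label, v, classify(v)) for label, v in tagged if classify(v) != label]

def index_iocs(reports):
    """Build {type: {value: {report, ...}}} across all reports."""
    idx = defaultdict(lambda: defaultdict(set))
    for name, values in reports.items():
        for raw in values:
            v = normalise(raw)
            idx[classify(v)][v].add(name)
    return idx

def union(idx, ioc_type):
    return sorted(idx[ioc_type])

def overlap(idx, ioc_type, a, b):
    return sorted(v for v, seen in idx[ioc_type].items() if {a, b} <= seen)

def only_in(idx, ioc_type, report):
    return sorted(v for v, seen in idx[ioc_type].items() if seen == {report})

# STIX 2.1 comparison expressions; hash keys containing '-' must be quoted.
_STIX = {"sha1": "[file:hashes.'SHA-1' = '{}']", "sha256": "[file:hashes.'SHA-256' = '{}']",
         "md5": "[file:hashes.MD5 = '{}']", "domain": "[domain-name:value = '{}']",
         "filename": "[file:name = '{}']"}

def stix_patterns(idx, ioc_type):
    """One STIX 2.1 indicator pattern per merged IOC of the given type."""
    return [_STIX[ioc_type].format(v) for v in union(idx, ioc_type)]

if __name__ == "__main__":
    idx = index_iocs(REPORTS)
    print({t: len(union(idx, t)) for t in ("sha1", "sha256", "domain", "filename")})
    print("SHA1 in both TM and RL:", overlap(idx, "sha1", "TrendMicro", "ReversingLabs"))
    print("domains only in McAfee:", only_in(idx, "domain", "McAfee"))
    print(validate([("sha1", "d130bd75645c2433f88ac03e73395fba172ef67")]))  # constructed typo
```

Running the script reproduces the observation in the text: four SHA1 hashes shared between the Trend Micro and ReversingLabs lists, eight domains shared between Trend Micro and McAfee, and three domains (digitalcollege.org, websitetheme.com, virtualdataserver.com) that only McAfee reports. The `validate` call shows how a single dropped character turns a SHA1 into an `unknown` value rather than silently passing as a hash, and `stix_patterns` produces the comparison expressions that would go into STIX 2.1 indicator objects for the merged list.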
Many thanks to ReversingLabs, Trend Micro and McAfee for their prompt publication of essential security research. We hope that this meta-report will help defenders implement these actionable insights even faster.
Lee Jones – CTI Analyst – Elemendar
Elemendar CTI report analysis
ReversingLabs report
CTI Report:
https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth
STIX2 Report: https://trial.elemendar.com/stix/bundle--2a844dad-f1f4-4bf9-a499-8ec500388326
Malicious filenames (the trojanised DLL carries the same name as the legitimate component, so confirm a match with the hashes below)
solarwinds.orionimprovement.client.dll
solarwinds.orion.core.businesslayer.dll
SHA1 file hashes
22719783b2469ad312a40c1b200dd24d6a03618d
76640508b1e7759e548771a5359eaed353bf1eec
2f1a5a7411d015d01aaee4535835400191645023
5e643654179e8b4cfe1d3c1906a90a4c8d611cea
1b476f58ca366b54f34d714ffce3fd73cc30db1a
d130bd75645c2433f88ac03e73395fba172ef676
Windows system libraries referenced (legitimate DLLs, not indicators on their own)
advapi32.dll
kernel32.dll
Trend Micro report
CTI Report: https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html
STIX2 Report: https://trial.elemendar.com/stix/bundle--91490614-27ca-4074-9f1e-5f866b6dae98
Malicious domains
avsvmcloud.com
databasegalore.com
panhardware.com
incomeupdate.com
highdatabase.com
deftsecurity.com
zupertech.com
thedoccloud.com
SHA256 file hashes
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
SHA1 file hashes
d130bd75645c2433f88ac03e73395fba172ef676
2f1a5a7411d015d01aaee4535835400191645023
1b476f58ca366b54f34d714ffce3fd73cc30db1a
76640508b1e7759e548771a5359eaed353bf1eec
75af292f34789a1c782ea36c7127bf6106f595e8
McAfee report
CTI Report: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/
STIX2 Report: https://trial.elemendar.com/stix/bundle--ede93a93-872b-404d-bde1-439b46a8facb
Malicious domains
incomeupdate.com
panhardware.com
highdatabase.com
avsvmcloud.com
thedoccloud.com
databasegalore.com
zupertech.com
deftsecurity.com
digitalcollege.org
websitetheme.com
virtualdataserver.com
Malicious filenames (same name as the legitimate component; confirm a match with the file hashes listed above)
solarwinds.orion.core.businesslayer.dll